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Abstract 

We realize shamir’s no-key protocol via quantum computation of Boolean 
permutation and private quantum channel. The quantum no-key (QNK) 
protocol presented here is one with mutual authentications, and proved to 
be unconditionally secure. An important property of this protocol is thatO 
its authentication key can be reused permanently. 
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1. Introduction 

No-key protocol was first proposed by Shamir [I] which can be used to 
transmit classical messages secretly in public channel without public key or 
secret key. Shamir’s protocol is based on discrete logarithm problem which 
cannot resist a man-in-the-middle (MIM) attack. The quantum version of 
no-key protocol based on single-photon rotations was developed in (2, 0]. 
The security of quantum no-key (QNK) protocol is based on the laws of 
quantum mechanics, rather than computational hypothesis. Other similar 
protocols were proposed [3-0]. A protocol proposed in [7] with inherent 
identification is based on quantum computing of Boolean functions which can 
prevent MIM attack. Ref. [§] proposed a practical quantum no-key protocol 
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with mutual identification, and present a newly attack named unbalance-of- 
information-source (UIS) attack. A 9-round QNK protocol with data origin 
authentication which achieves perfect security was constructed in [9*]. Ref. 
BEH are quantum message oriented protocols which is the development of 
Shannon’s one-time-pad encryption scheme in classical cryptography. Ref. 
[12J presents some development of those quantum one-time pad schemes. In 
this _paper, we propose a QNK protocol based on the algorithm presented in 

0 m 


2. Quantum no-key scheme with interactive identification 

2.1. Private quantum channel 


Ambainis et al. 


Ill ] defined PQC with an ancillary quantum state. Sup¬ 
pose Uk, k — 1, 2, ■ • ■ , N is a set of operations. Each element Uk is a 2 n x 2 n 
unitary matrix. Let the plaintext state be a n-qubit quantum message p. In 
the encryption stage, Uk is applied to the quantum state, where k is a secret 
key. Pk represents the probability of choosing k as secret key. 


Pc = U k pU\. 

(1) 

To decrypt ciphertext, U' k is applied to p c , 


p = U\p c U k . 

(2) 

Quantum perfect encryption is defined in 11 : 
output state is an ultimately mixed state, that 

for every input state p, the 

is 

Y^PfVkpUl = ^ 

(3) 


k 


0] constructs one perfect encryption by choosing p k = Uk = X a Z l3 (a , /3 G 
{0, l} n ). Boykin and Roychowdhury prove that their construction is perfect. 


2.2. Scheme description 

Alice and Bob preshare bit strings s and r, s G {0, l} n , r G {0,l}t. Alice 
intends to transmit classical message x to Bob through quantum channel. 
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1. Alice randomly selects a^, Pa £ {0, l} n to encrypt \x)i(x\ with Y° A H 8a : 

Y aA H /SA \x) I (x\H 0A Y aA = m |rn)/(m|, (4) 

m 

The first register represents the encrytpion of plaintext. 

Then Alice does unitary transform U s on the quantum state: 

U s (y^a rn \m) I (m\ © |0) 7/ (0|)C/j 

m 

= cxm\ m )i( m \ <8> \F s (m)) n (F s (m)\, (5) 

m 

and uses r and a randomly selected bit string r A G {0, 1}5 to do 
exclusive-or operation to get: 

© \F s (m) © r\\r A ) n (F s (m) © r||r A |. (6) 

m 

The second register consists of the identity information about Alice. 
Finally Alice sends Bob registers /, II. 

2. Bob uses preshared .s to do the computation: 


U s 1 (^2a m \m)i{m\ © |F s (m) © 7'||r J 4)j/(i r s (m) © r||ru|)(74 1 ) t 

m 

= © |F s (m) ® F s (m) © r||r j4 )//(F s (m) © F s (m) © r-||r*^| 

m 

= ^OiJ\m)i{m\®\r\\r A ) II {r\\r A \, (7) 

m 

then Bob measures the second register to get the string r\\r A , if the 
first | bits are identical with r, he accepts that the message comes 
from Alice; otherwise, he aborts the scheme. 

Through verification, Bob randomly selects a#, Pb G {0, l} n , and uses 
Y a B}j^B pj encrypt: 

y *b H Pb^ a m \m)i (m|) H i3b Y oib — ^ a' m \m)i{m\. (8) 
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The first register contains the transmitted plaintext, and Bob will uses 
the third register to add his identity information. 

Bob does transform U s : 

® 10)m(0|)f/j 

m 

= a 'm\ rn }i( rn \ <s> \F s (m))ni(F s (m)l (9) 

m 

and uses r A and a randomly selected tr to do exclusive-or operation, 
the quantum state becomes: 

y^a4jm)/(m| © \F s (m) <£>r A \\r B )iii(F s (m) ®r A \\r B \- (10) 

m 


then sends Alice registers I, III. 

3. Alice uses s to disentangle the registers: 

U~ 1 (y^a m \m) I (m\ © | F s {m) © r A \\r B )iii(F s (m) © r j4 ||r B |)(C/ s _1 ) t 

m 

= ^2 a m\ m )i( m \ ® \r A \\r B )iii(r A \\r B \. (11) 

m 

Afterwards Alice measures the third register, if first part of the result of 
measurement is equal to r A , she accepts the legality of Bob; otherwise, 
the scheme is aborted. 

Through verification, Alice decrypts with //'© Y ° A : 

Hf )A Y aA (22a' m \m) I (m\)Y aA H f)A = ^c£jm) 7 <m|, (12) 

m m 

and uses s to do transform U s as well as r, tr to do exclusive-or oper¬ 
ation: 

y^o4|m)/(m| © |0) iv (01 

m 

->• © \F s (m) © r B \\r c )iv{Fs(rn) © r B \\rc\, (13) 

m 

then sends Bob registers /, IV. 
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4. Bob uses s to do U s 1 transform to disentangle the registers: 

U 7 1 (^2 a m\ m )i( m \ ® I F s (m) ® r B \\r c )iv(Fs(rn) © r B ||r c |)(f/ s _1 ) t 
m 

= ^2 a "n\‘ m )i{ m \ ® \rB\\rc)iv{rB\\rc\- (14) 

m 

By measuring register IV, Bob can verify the legitimacy of Alice. He 
retains tq to replace r. So the preshared bit strings between Alice and 
Bob for the next session are s and re- 

If Bob makes sure that the message sender is Alice, he decrypts with 

fJ/3 B Y aB ■ 


HpBY a B(^2 a m \m) ^m^Y 018 H pB = |x) 7 (x|, (15) 

m 

finally Bob gets the transmitted message x. 

3. Security analysis 

In the first round communication, if the adversary intercept the trans¬ 
mitted message in the quantum channel, the message state for him is: 

<J\ = y, a m \m)i{m\ <g) \F s (m) © r\\r A )n(F s (m) © r\\r A \- (16) 

m,s,r,rA 

For every given input m, F s (m ) iterates through all the possible value. So the 
quantum state \F s (m) © r||r a) n{F s (m) © r11 r^ 4 1 is an ultimately mixed 

s,r,rA 

state which has nothing to do with the value of m. Part of the ciphertext 
state: Y2 a m\ m )i(m\ is obtained by performing H and Y on the plaintext 

m 

state. Now, we firstly prove that the following proposition. 

Proposition 1. {p k = U k = k = (a,/3),a,/3 G {0, l} n } is a 

quantum perfect encryption. 

Proof: Since {U^U^, oc, (3 G {0, l} n } is a complete orthonormal basis, 
any n-qubit state p can be represented as a linear combination of these 2 2n 
unitary matrixes: 

P=Y J a ^ U l U 2, 

a, (3 
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where a a p = tr^pU^U*) /2™. 
Thus, 


Y,p^p u i = 


2 2 r 


7,(5 


5 ] «a,/9 X] UiU$U?U$U%U? 


a,/3 7,(5 


From UiU -2 = — U 2 Ui,we have C/|C/f = (—l)"' <5 f/"f /2 • Thus, the above for¬ 
mula can be expressed as: 


1 


^ E “->/> (-if'uiuiu: 


2 2 ' 


a,/3 7,5 




P 

2 • 


a,/3 7,5 

Because ^ 7S { 0 1 }n(—l)^' 7 = Spp, the above formula is equal to: 

E^oWUS = a 0 oI = ^ I = —■ 

a,(3 

So, it is a quantum perfect encryption.□ 

Similarly, it’s easy to prove that {pk = Uy. = Y a H ^, k — (a, (3), a, /3 e 

{0, l} n } also forms a PQC. So ^o; m |m)/(m| is an ultimately mixed state. 

m 

Thus, the message state cq for the adversary is: 

cq = a m|^)/(^| © X^ l^( m ) © r\\r A )ii(F s (m) © r||r A | 


s,r,rA 


i i 
— © — 

2 « 2 n 

/ 

22 T 


(17) 


Since cq is an ultimately mixed state, the adversary cannot acquire anything 
by measuring it. 
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In the second round of communication, the transmitted message state 
becomes: 

0- 2 = ^2 a 'm\' m )i(' m \ ® \F s (m) ®r A \\r B ) ni (F 8 (m) ®r A \\r B \ (18) 

m,s,7*^4,r# 

Supposed that the adversary is able to intercept it, the quantum state for 
him is also an ultimately mixed state: 

^ < 1! >) 

Similarly, in the third round, the transmitted message state is also an 
ultimately mixed state: 

a 'rn\ m )i( m \ ® I Fs(m) © r B \\r c )iv(F s (m) © r B \\r c \ 

m 

I 

~ 2 ^' 

Above analysis shows that the preshard s, r and secret information x will 
not be disclosed to the attacker. MIM attack is not effective in this protocol. 
The adversary has no useful method to attack. 

Remark 1. There are many special cases satisfying the conditions of U i and 
f/ 2 , such as X and Z, X and Y. Y and //, X and //. Thus, the following 
examples are all quantum perfect encryptions. 

1. PQCl:{p fc = X.,U k = X a Z ( \ k — (a,/3),a,/3 e {0, l} n }. 

2 . PQC2:{p fc = U k = X a Y^ k = (a, 0), a, /3 e {0,1}"}. 

3. PQC3:{p fc = 2 h,U k = X a HP, k = (a, /3), a, /3 E {0, l} n }. 

4. PQC4:{p fc = ^,U k = Y a HP, k = (a,/3),a,/3 G {0,1}"}. 

1. When we choose the PQC1: {p k = , C4 = X a Z l3 ,a,/3 G {0, l} n } 

for QNK protocol, it is insecure to transmit classical information. Be¬ 
cause X operation is to reverse the bit and the function of Z oper¬ 
ation is to shift the phase. Thus the attacker can measure the ci¬ 
phertext state in the basis {|0), 11)} without breaking it. And be¬ 
cause the three ciphertext transmitted between Alice and Bob are 
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X° A Z' iA | rn ), X° B Z^ B X aA Z^ A \m),X° B Z^ B \m ), the attacker can ac- 
quire three strings a a © m, a B © a a © rn, a B © m by measuring the 
three ciphertext. The attacker can computes a B with the first string 
and the second string. Then he can computes the message m with the 
value of as and the third string. 

2. When choosing the PQC2: {p k = U k = X a Y^,a,/3 G {0,l} n } 
for the quantum no-key protocol, it is also unsafe to transmit classical 
information for the same reason. In this case, the three ciphers trans¬ 
mitted between Alice and Bob is X aA Y^ A \m),X aB Y^ B X aA Y^ A \m), 
X aB Y^ B \m), measuring the three ciphers can achieve the three strings 
®a © /3a © m, ocb © Pb © oi a © Pa © m, «b © Pb © m- The attacker can 
computes a B © Pb with the hrst string and the second string. Then he 
can computes the message m with the value of as © /3 B and the third 
string. 

3. In PQC3:{pfc = ^,14 = X a H^^k = (a,/3),a,/3 G {0, l} n }, X and Y 
do not satisfy the condition that X and Y should form an orthonormal 
basis. 

4. By using Y a H 13 in the protocol, the message is being encoded into 
the conjugate coding, and the flaw stated in the above disappears. If 
using POC1 and POC2, after the classical bits being encoded into 
computational basis state, it will stay in computational basis state 
during the exchange in the protocol. It is better to choose the PQC4: 
{Pk = 2 — Y a H l \k = (a,/3),a,/3 G {0, l} n } for the quantum 
no-key protocol. 

Next, we take another attack into account. Assume that the adversary 
intercepts all the transmitted ciphertext during one session between Alice and 
Bob. The transmitted ciphertext during the three rounds of communication 
are: 

c 1 

(72 

<73 
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= 22 a m\m)i{m\ © I F s (m) © r\\r A ) n {F s (m) © r\\r A \, 

m,s,r,rA 

= 22 a 'm\ m )i( m \ ® | F s (m) © r A \\rB)iii(F s (m) © r A \\r B \, 

m,s,rA,YB 

= 22 a 'rn\ m )i( m \ ® \ F s{rn) @ r B \\r c )iv(F s (m) @ r B \\r c \- 

m 



The whole quantum state from adversary’s viewpoint is: 

E E a mi a m 2 a mz \m 1 , m 2 , m 3 )/{mi, m 2 , m 3 \ 

mi,1712,m 3 s,r,r A ,r B „rc 

®\F s {;m 1 )®r\\r A F s {;m 2 )®r A \\r B ,F s {m 3 )®r B \\rc)ii x 
Xn{F s (m 1 ) © r\\r A , F a (m 2 ) © F s (m 3 ) © r B \\r c \. (21) 

In [ 9 ] , the conclusion is that the authentication key cannot be used forever 
in the QNK protocol with 3 rounds or less than 3 rounds of communication. 
If we consider the trace distance between the direct product of any two 
ciphertext among the three transmitted ciphertext in the proposed QNK 
protocol in Section 2, we cannot have the result that such trace distance 
is zero for different plaintext and authentication keys s, r. As a result, we 
cannot prove the permanent use of authentication keys s, r. Guaranteed 
by the no-cloning theorem, the adversary is unable to copy the unknown 
quantum state transmitted in the channel. The participants involved in 
the communication process send message with identification. The message 
without identity information is not send out into the channel. All the three 
ciphertext cannot be possessed by the adversary at the same time. So, the 
coefficients a mi , a m2 , a m3 are distributed in different time and space. The 
product of a mi , a m2 , a m is zero. Thus, it’s no use in computing the trace 
distance between the direct product of any two ciphertext among the three 
transmitted ciphertext. Moreover, it’s also no used in demonstrating that 
the quantum state show in formula 21 is an ultimately mixed state. 

4. Discussion 

QNK protocol cannot resist MIM attack without identification. The QNK 
protocol based on PQC without identification is as bellow: 

1. Alice encrypts p with Y aA H ^ A , and sends Bob p 1 = Y aA H^ A pH^ A Y aA . 

2. Bob encrypts p 3 with Y aB H l3B and sends Alice p 2 = Y aB H^ B p 1 H^ B Y° iB . 

3. Alice decrypts p 2 with H /3a Y°‘ a and sends Bob p 3 = H^ A Y aA p 2 Y aA H^ A . 

4. Bob decrypts p 3 with H^bY® 13 to recover p. 
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If attacker Eve intercepts the message pi from Alice, he randomly selects 
bit strings and (3e to encrypt p\ and sends Alice p 2 = Y aE H 3fi p \ H fie Y° E . 
Alices decrypts p 2 with H^ A Y aA and sends Eve p 3 = H^ A Y aA p 2 Y OLA H /3A . Eve 
receives p 3 and decrypts it with H^ E Y aE . Finally, Eve can get message p 
successfully. 

In section 2, we add identification into the protocol to resist MIM attack. 
Preshard information r and s are necessary in identifying the communicators, 
so the privacy of r and s are important. We use local random string r^, rs, 
Boolean permutation F s {-) and quantum entanglement to protect the Alice 
and Bob’s preshared bit strings r and s. 

Since the plaintext is encrypted by quantum perfect encyrtion transfro- 
mation, the ciphertext state is an ultimately mixed which has nothing to do 
with the plaintext. In the protocol descryption, we take classical message 
as example. Moreover, the QNK protocol with identikcaiton can be used to 
transmit quantum message. 

5. Conclusions 

Quantum no-key encryption protocols are presented based on quantum 
perfect encryption. We make use of random bit strings, Boolean permutation 
and the property of entanglement to ensure protocols’ security. This protocol 
with identification can resist MIM attack. The security analysis shows that 
the pieces of ciphertext of the three rounds are all ultimately mixed states, 
and the authentication keys can be reused permanently. 
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